LIXIL THAILAND

Pursuant to the Personal Data Protection Act B.E. 2562 and other related laws, including any further amendments thereof (“PDPA”), LIXIL Thailand, which consists of LIXIL (Thailand) Public Company Limited and Grohe (Thailand) Ltd., has thereupon made this Personal Data Protection Policy (“Policy”) to describe details with regards to the collection, use, disclosure of Personal Data to personnel and staffs of the Company or personnel and employees of third parties representing or acting on behalf of the Company in processing of Personal Data relating to the business operation of the Company, in accordance with the PDPA.

“Company” means LIXIL (Thailand) Public Company Limited or Grohe (Thailand) Ltd. which proceeds with any Personal Data processing under the objectives of the Privacy Notice for each type of Data Subject.

Personal Data” means any information relating to a natural person, which enables the identification of such person, whether directly or indirectly, but not including the information of the deceased persons in particular.

Sensitive Personal Data” means Personal Data consisting of information pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or any of the data which may cause unfair discrimination to the Data Subject or affect the Data Subject in the same manner as specified by PDPA.

Data Subject” means a natural person who owns the Personal Data, such as customers, distributors, dealers, end-users, business partners, service providers, directors, employees, visitors, and any other natural persons whose Personal Data are collected, used or disclosed by the Company.

Data Controller” means a natural person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.

Data Processor” means a natural person or a juristic person who operates in relation to the collection, use, or disclosure of the Personal Data pursuant to the orders given by or on behalf of the Data Controller, whereby such person or juristic person is not the Data Controller.

Legal Basis” means the justifiable ground to collect Personal Data as prescribed in the PDPA.

1. General Personal Data: the collection can only be carried out if one or more of the seven legal basis has been met as follows:
   1. Consent from the Data Subject (Consent Basis)
      

      Where Personal Data cannot be collected by means of any other legal basis as specified in Clause 1.2-1.7 of this Policy, the Company needs to request for the explicit consent from the Data Subject before or while collecting their Personal Data. The absence of a response or inaction is not to be regarded as consent from the Data Subject. Such consent must be made in a written statement, or via electronic means which may be in a form created by the Company (e.g. Letter of Consent). Except where such request for consent cannot be made, the Data Subject may also provide his or her consent verbally, in which case the Company must record the said consent in writing, with details of the method and date of the consent. The Company must store the written record in a safe and easily accessible location. Notwithstanding the foregoing, the Data Subject may withdraw his or her consent at any time, unless there is a law or contract advantageous to the Data Subject which restricts the Data Subject’s right to withdrawal.

      The Company shall always be aware that the Company can only request for the Data Subject’s consent provided that the Data Subject can give consent independently and voluntarily.

      Remark: In the case that the Company shall request for consent from a minor, incompetent or quasi-incompetent person, the Company must obtain consent from the holder of parental responsibility, the custodian or curator who has the power to act on behalf of such Data Subject subsequently. The exception is that if the minor is above the age of ten years, they may give their own consent in cases where legally they can act solely by themselves

   2. For preparing historical documents or the archives for public interest, or for the purpose relating to research or statistics (Archives/Research/Statistics Basis)
      

      The Company may collect Personal Data for purposes relating to the preparation of historical documents or the archives for public interest, or for purposes relating to research or statistics, provided suitable measures to safeguard the Data Subject’s rights and freedoms are put in place as required by law. Notwithstanding the foregoing, the Company may not collect Personal Data solely for the sake of research or statistics purposes; the said collection must also be for one of the other legal basis in this Section as well (e.g. Legitimate Interest Basis).

   3. For preventing or suppressing danger to a person’s life, body or health (Vital Interest Basis)
      

      In some cases, the Company may need to collect Personal Data to prevent or suppress danger to a person’s life, body or health (and the danger need not only be limited to the Data Subject). For example, where it is necessary for the Company to collect Personal Data in an emergency accident involving the Data Subject, the Company does not need to obtain consent to collect, use, or disclose the Data Subject’s Personal Data.

   4. For performance of contract between the Company and the Data Subject, or to proceed with the Data Subject’s request prior to entering into a contract with the Company (Contract Basis)
      

      In situations where it is necessary for the Company to collect Personal Data for the performance of a contract to which the Data Subject is a party of, or for the Company to take steps at the request of the Data Subject prior to entering into a contract, the Company does not need to obtain consent to collect the Data Subject’s Personal Data.

   5. For performing duties in the public interest (Public Interest Basis)
      

      In situations where it is necessary for the Company to collect Personal Data for the performance of a task carried out for public interest by the Data Controller, or it is necessary for the exercising of official authority vested in the Data Controller, the Company does not need to request for consent to collect such Personal Data.

   6. For legitimate interests (Legitimate Interest Basis)
      

      The Company may collect Personal Data from the Data Subject without requesting for his or her consent if it is necessary for the legitimate interests of the Company or any third parties other than the Data Subject. For example, legitimate interests in the business operation of the Company and/or third parties, legitimate interests in securing and protecting property and people within the Company’s premises, legitimate interests in organizational management of the Company and so forth. However, the Company must act with caution when relying on this legal basis to collect Personal Data –the Company may not collect Personal Data by relying on the Legitimate Interest basis where such Interests are overridden by the fundamental rights of the Data Subject, including but not limited to the right to self-determination, the right to liberty, the right to freedom of movement, the right to privacy, the right to freedom of thought, the right to freedom of religion, the right to freedom of expression, the right to peaceful assembly, the right to freedom of association, or where such interests may significantly affect the fundamental rights of the Data Subject. In such case, the Company must not collect Personal Data by relying on Legitimate Interest Basis and should request for the Data Subject’s consent if the Company intends to continue collecting his or her Personal Data.

      The following guidelines is provided for implementing the Legitimate Interest Basis. The Company must assess whether the collection of any Personal Data is in accordance with the following criteria in all respects:

      Whether the Company or third party has legitimate interests to collect Personal Data or not;

      Whether the collection of such Personal Data is necessary for the objective pursuant to Clause (1) or not;

      Whether the Data Subject should expect that the Company is required to collect such Personal Data or not;

      Whether the collection of such Personal Data is of no less importance than the fundamental rights of the Data Subject, or is not the case whereby the fundamental rights of the Data Subject is significantly affected or not; and

      Whether the Company has appropriate Personal Data Protection measures in collecting Personal Data or not.

   7. For complying with the laws enforced on the Company (Legal Duty Basis)
      

      In cases where the law stipulates that the Company is required to collect, use or disclose Personal Data, the Company does not need to request for consent from the Data Subject. This may include processing Personal Data in accordance with court orders or government officials, for example storing employee data to comply with labor protection laws, storing accounting documents for a period specified by the law, etc.

2. In case of Sensitive Personal Data, the Company may collect, use or disclose such Sensitive Personal Data only when the Data Subject has given his or her explicit consent (please see guidelines and methods in Clause 1.1), except where the law provides that:
   1. It is to prevent or suppress danger to the life, body or health of a person, where the Data Subject is incapable of giving consent for whatever reason, such as in cases of emergencies;
   2. It is information that has been disclosed to the public with the explicit consent of the Data Subject;
      1. Preventive medicine or occupational medicine, the assessment of working capacity of the employee;
      2. Public interest in public health;
      3. Employment protection, social security, national health security, social health welfare of the entitled person by law or social protection in which the collection of Personal Data is necessary for exercising the rights or carrying out the obligations of the Company or the Data Subject;
      4. It is for scientific, historical, or statistical research purposes, or other public interests; or
      5. Other substantial public interest e.g. collecting sensitive Personal Data for the purpose of preventing contagious diseases or epidemic, collecting and disclosing sensitive Personal Data to government agencies to prevent money laundering.
   3. It is necessary for compliance with a law to achieve the purposes with respect to:
      1. Preventive medicine or occupational medicine, the assessment of working capacity of the employee;
      2. Public interest in public health;
      3. Employment protection, social security, national health security, social health welfare of the entitled person by law or social protection in which the collection of Personal Data is necessary for exercising the rights or carrying out the obligations of the Company or the Data Subject;
      4. It is for scientific, historical, or statistical research purposes, or other public interests; or
      5. Other substantial public interest e.g. collecting sensitive Personal Data for the purpose of preventing contagious diseases or epidemic, collecting and disclosing sensitive Personal Data to government agencies to prevent money laundering.

      Remark: The guideline for considering and interpreting ‘public interest’ may change according to the guidelines and the definition provided by the Personal Data Protection Committee or as specified in secondary legislation which may be promulgated in the future.

      Details of the type, purpose and legal basis for the collection of Personal Data of the Company will be in the applicable Privacy Notice for different types of Data Subjects.

3. Guidance in collecting of Personal Data
   

   The Personal Data must be collected, solely, to the extent necessary to achieve the objectives as specified by the Company. The Company will only collect data deemed necessary for use, and erase or destroy any unnecessary data received, especially Sensitive Personal Data. This is for the purpose of reducing the risks in unlawfully collecting, using and disclosing the Personal Data by the Company.

   Where the Company has received more Personal Data than is necessary, the Company shall determine a method by which it will solely collect the Personal Data necessary to achieve the objectives of such Personal Data collection. For example, if the Company uses Personal Data to identify its business partner or their representative from a copy of the identification card, and the Company only requires general Personal Data for the identification of such person (i.e. name and photo), the Company should employ a method to prevent the non-necessary Personal Data / Sensitive Personal Data that is contained in the identification card (i.e. religious beliefs and blood type) from being collected and kept in the Company’s possession. This may include erasing unnecessary data received in the identification card, leaving only the necessary Personal Data for identification only.

When Personal Data is collected, used or disclosed, the Company will create and provide a Privacy Notice for various types of Data Subjects. These Privacy Notices will provide details of Personal Data processing, definitions, Personal Data which the Company collects, objectives of collecting Personal Data, legal basis of such collection, retention period or expected duration, type of persons or organizations Personal Data may be disclosed to, contact details of the Company, rights of the Data Subject and other relevant details, so that the Data Subject knows and understand, and consider providing their consent in the event that the collection of the Personal Data is not within the other legal basis which the Personal Data can be collected without consent.
The Company must inform or deliver the Privacy Notice to the Data Subject before or while collecting their Personal Data – this may be done by way of handing physical Privacy Notices to the Data Subject, or by uploading the said Notice onto the Company’s website, and informing the Data Subject of the relevant link. Where the Company has collected, used or disclosed the Personal Data prior to having this Policy, and it is still necessary for the Company to continue to collect, use or disclose that data, the Company must inform or deliver the Privacy Notice to the Data Subject without delay, and again, this may be done by way of informing the Data Subject of the link where the said Notice may be obtained.
The notification or delivery of the Privacy Notice may not be required to be repeated in the event that the Company has previously notified or delivered the Privacy Notice to such Data Subject. However, in the event that the Company makes substantial or significant changes to the Privacy Notice, the Company must notify or deliver such revised Privacy Notice to the Data Subject. This may be done by handing a physical copy of the revised Notice to the Data Subject, or uploading the revised Notice on the Company’s website, and informing the Data Subject of the relevant link.

In general, the Company is required to collect Personal Data from the Data Subject directly. However, if the Company collects Personal Data from other sources which is not from the Data Subject directly, the Company is required to inform the Data Subject of the collection, along with the Privacy Notice, and obtain consent (where necessary) without delay, and in any event within 30 days upon the date of such collection. Except in the case that such notification of Privacy Notice and request of consent has been done by any third party on behalf of the Company, the Company is not required to provide the Data Subject with the Privacy Notice, and obtain consent (where necessary) from the Data Subject again.
Notwithstanding, except in the case the Company is required to use the Personal Data to contact the Data Subject, the Company can inform the Data Subject upon the first communication with the Data Subject. In the case the Company discloses Personal Data, the Company is required to inform the Data Subject prior to the first disclosure.
However, the Company may not have to inform the Data Subject of the Personal Data collection and Privacy Notice if the Company can prove that such notice is not possible, or will obstruct the use or disclosure of the Personal Data, or the Data Subject is already aware of such detailed information. For example, the Data Subject has received the Privacy Notice for other business transactions with the Company and intends to carry out the same transaction with the Company again.
In addition, if the Company hires the Data Processor to collect, use or disclose Personal Data on behalf of and by order of the Company, the Company may assign the Data Processor to provide privacy notices on its behalf, provided the Company ensures that the Data Processor complies with and performs the Company’s obligations as stated in this Policy.

The Company shall be aware that the Data Subject has the right to take any action regarding his/her Personal Data in the Company’s possession as stipulated in the Personal Data Protection Laws. The Company is required to provide a Data Subject Request Form to facilitate the Data Subject notifying the Company of his/her intention to exercise his/her rights. In the event the Company denies the Data Subject’s request, the Company is required to notify the Data Subject of such rejection in writing and record the reasons of such rejection in writing.

When a request is served on the Company by the Data Subject, the Company must respond to the Data Subject’s request without delay, and in any event within 30 days from receiving a request.

1. Right to withdraw consent. The Data Subject may withdraw some or all of his or her consent, which was previously given to the Company, at any time throughout the period the Company has the Personal Data in its possession. The Company must also notify the Data Subject of any practical effects or consequences upon the Data Subject’s withdrawal of consent (if any). Notwithstanding, the withdrawal of consent shall not affect the processing of Personal Data by the Company that the Data Subject has already given consent prior to the withdrawal.
   Reason for denial: The Company may deny the Data Subject’s request only in the following cases:
   1. Legal compliance or contract performance which is beneficial towards the Data Subject.
2. The right to request access to and obtain a copy of the Personal Data. The Data Subject is entitled to request access to and obtain a copy of the Personal Data related to him or her which is in the possession of the Company, or to request the disclosure of the acquisition of the Personal Data obtained without his or her consent.
   Reason for denial: The Company may deny the Data Subject’s request only in the following cases:
   1. The Company has to comply with a legal obligation or court order; or
   2. The Company opines that fulfilling the Data Subject’s request will result in an infringement of the fundamental rights and freedoms of other persons.
3. The right to request to receive and send or transfer of Personal Data. The Data Subject has the right to request for a copy of his or her Personal Data from the Company, or request the Company to send or transfer the Personal Data to another person or organization in a format which is readable or commonly used. This includes the right to receive his or her Personal Data which are transferred and maintained by other companies, personnel or organizations. This request can only be used if the Personal Data has been collected, used or disclosed with consent, or for contract performance, or for requesting to enter into a contract between the Data Subject and the Company.
   Reason for denial: The Company may deny the Data Subject’s request only in the following cases:
   1. Personal Data is used for the performance of a task carried out in the public interest
   2. For compliance with the law
   3. Where such exercise of rights will violate the rights and freedoms of others. For example, the Company may refuse a request where an integral part of the Personal Data relates to the Company’s trade secrets or intellectual property information.
4. The right to object to the collection, use, or disclosure of the Personal Data. The Data Subject has the right to object to the collection, use or disclosure of their Personal Data by the Company in the following circumstances:
   
   1. In the event the Data Subject is of the view that the collection, use or disclosure of such Personal Data is not necessary for the performance of a task necessary for legitimate interests, or to be carried out in the public interest, such as complying with the orders of government officials.
      Reason for denial (for No. 4(1)): The Company may deny the Data Subject’s request only in the following cases: The Company can demonstrate that there is a more compelling legitimate ground than the interests, rights, or freedom of the Data Subject, or the data collection, use or disclosure is carried out for the establishment, compliance or exercise of legal claims, or defense of legal claims.
   2. For the purpose of direct marketing, the Data Subject can object without any conditions.
   3. For the purpose of scientific, historical or statistic research, unless it is necessary for performance of a task carried out for the public interest.

   In the case the Company does not have a reason for the denial of such request, the Company shall proceed to separate the Personal Data out from other data immediately upon receiving the notification of the Data Subject’s objection.

5. The right to erase the Personal Data. The Data Subject has the right to request the Company to erase or destroy the Personal Data, or anonymize the Personal Data (such that Data Subject cannot be identified after the anonymization), where any of the following grounds applies:
   
   1. The Personal Data is no longer necessary to be retained for the purposes for which it was collected, used or disclosed;
   2. The Data Subject has the right to request the Company to erase or destroy the Personal Data, or anonymize the Personal Data (such that Data Subject cannot be identified after the anonymization), where any of the following grounds applies:
   3. The Data Subject withdraws consent, and where the Data Controller has no other legal grounds for such collection, use, or disclosure;
   4. The Personal Data has been unlawfully collected, used, or disclosed.

   Reason for denial: The Company may deny the Data Subject’s request only in the following cases:

   - Storing for the purpose of freedom of expression/expression of opinion;

   - To achieve the purpose relating to the preparation of historical documents, or archives of research, statistics or for pubpc interests;

   - The collection of Sensitive Personal Data is necessary for comppance with the law to achieve the purposes with respect to preventive medicine or occupational medicine, the assessment of working capacity of the employee or pubpc interest in pubpc health;

   - For the purpose of estabpshment, comppance or exercise of legal claims, or defense of legal claims;

   - For comppance with the law.

   Where the Company has disclosed the Personal Data to the public or transferred to other Data Controllers, and the Data Subject has requested for his or her Personal Data to be erased, destroyed, or anonymized, the Company shall proceed to have such Personal Data erased or destroyed, or anonymized. In addition, the Company shall inform other Data Controllers to proceed in the same manner. The Company shall be responsible for the expenses concerning the erasure or destroying and informing as aforesaid.

6. Right to restrict the use of the Personal Data The Data Subject may request the Company to restrict the use of the Personal Data in the following circumstances:
   
   1. The Data Subject has requested that the Company corrects Personal Data in the Company’s possession, whilst the Company considers the request. The Company may deny the said request if after consideration, the Company finds that the Personal Data is accurate, and the Company notifies the Data Subject of the reasons prior to rejecting their request;
   2. When the Personal Data has been processed unlawfully and the Data Subject has requested for a restriction of use instead of deletion of such data;
   3. When it is no longer necessary to retain the Personal Data, but the Data Subject has requested the Company to retain such data for the purposes of the establishment, compliance, or exercise of legal claims, or the defense of legal claims; or
   4. The Company is verifying a Data Subject’s objection to the processing of Personal Data. However, the Company may reject the Data Subject’s request to restrict the use of their Personal Data if after consideration, the Company has grounds to reject the Data Subject’s objection.
7. Right to rectification. The Data Subject may request that the Company ensures that their Personal Data remains accurate, up-to-date, complete, and not misleading.
   
8. Right to file a complaint. The Data Subject has the right to file a complaint to the expert committee as appointed by the Personal Data Protection Committee in the event that the Company or the Data Processor, including the employees or the service providers of the Company or the Data Processor violate or do not comply with the PDPA.
   

All staff and personnel, including all employees and person hired by the Company, are responsible for complying with the laws and this Personal Data Protection Policy and must keep Personal Data strictly confidential and must not use Personal Data received while working as an employee for any inappropriate, personal interest or illegal purposes. The duties of the personnel may be sorted by rank of position as follows:

1. The managing director and upper management level
   Shall be responsible for overseeing all of the Company’s process in relation to the protection of Personal Data:
   1. Designate a person or an organization as the Data Protection Officer (DPO) and/or other personnel or organizations to oversee and handle all matters relating to Personal Data protection of the Company;
   2. Assign employees the responsibility to identify the procedures regarding Personal Data protection, including risk management procedures which may arise from the collection, use and disclosure of Personal Data by the Company, together with the practical guidelines in the event of a data protection violation within the Company;
   3. Implement control and monitor compliance with this Policy, including assessing the suitability of this Policy on a regular basis;
   4. Approve the process of the Policies concerning Personal Data protection, for example ensuring the suitability of this Policy, how Personal Data is protected within the Company, or any amendment of this Policy; and
   5. Consider and approve requests of the Data Subject to exercise his or her rights concerning his or her Personal Data in cases where their request may have a significant impact towards the Company, Data Subject and/or other persons
2. Data Protection Officer (DPO) or Persons Responsible for the Personal Data Protection of the Company
   Shall be responsible for advising and reviewing all of the Company’s Personal Data protection processes as follows:
   1. Analyze, evaluate, audit and control the Company’s Personal Data processing activities and advise personnel or other departments within the Company to ensure the Company’s Personal Data processing activities comply with the PDPA and the Company’s Personal Data Protection Policy;
   2. Review and approve Personal Data protection practices of each department within the Company. This shall include review and approval of practices to manage risks that may arise from the collection, use and disclosure of Personal Data by the Company and methods to solve situations of Personal Data breach occurring within the Company;
   3. Analyze, evaluate and advise personnel and departments within the Company on how to respond to the Data Subject’s request to exercise his/her right in cases where their request may have a significant impact towards the Company, Data Subject and/or other persons;
   4. Report incidents regarding Personal Data processes within the Company to the managing director and executive personnel;
   5. Contact, coordinate and cooperate with the Office of the Personal Data Protection Committee, including proceedings concerning incidents of Personal Data breaches occurring within the Company, within the period specified by law.
   6. Study the details of the Personal Data Protection Act B.E. 2562 (2019), rules, announcements, orders, regulations or other laws relating to Personal Data protection. This shall include to follow up on amendments or revisions of laws relating to the protection of such Personal Data and to notify the Company’s personnel; and
   7. Explain, create an understanding and awareness to the Company’s personnel on Personal Data protection and relevant Personal Data protection laws.
3. Department manager level
   Shall be responsible for supervising the collection, use or disclosure of Personal Data within their department, which may have different characteristics in each department. The responsibilities may be categorized as follows:
   1. Allow any person to access Personal Data or assign the responsibility to an employee to manage the Personal Data within the department;
   2. Provide guidelines and training for Personal Data in the department and ensure that all members of staff in the department understand what type of Personal Data is required to be collected and what type of Personal Data is unnecessary to collect for the operation of the department;
   3. Provide standardized measures to secure Personal Data in the department in accordance with the law and this Policy;
   4. Approve the responses to a Data Subject’s requests to exercise his or her rights and consult with relevant departments, including consulting with personal data protection officers or persons responsible for the Personal Data protection of the Company and reporting to management to request for their approval if the request may have a significant impact towards the Company, Data Subject and/or other personnel;
   5. Consult with management and personal data protection officers to determine appropriate Personal Data protection practices;
   6. Provide a record of the collection, use or disclosure of Personal Data of the department in accordance with the lists specified herein this Policy;
   7. Keep a report of all Personal Data breaches and consider whether such breach will affect the rights and freedoms of the Data Subject, including consulting with personal data protection officers or persons responsible for the Personal Data protection of the Company and management to consider whether any appropriate action needs to be taken in accordance with this Policy; and
   8. Notify the supervisor and/or the DPO immediately if they become aware of any Personal Data privacy breach.
4. Staff level
   Shall act strictly in accordance with the laws and this Policy to protect Personal Data, in particular the following steps:
   1. Collect, use and disclose Personal Data in accordance with the law and this Policy, including participating in training regarding Personal Data protection of the Company;
   2. Perform duties assigned to protect Personal Data while handling Personal Data, for example the security, transmission, disclosure or recording Personal Data etc.;
   3. Inform supervisors when the collection, use or disclosure of Personal Data in the Company or any action they were instructed to carry out is unlawful. In addition, to further inform supervisors when the collection, use or disclosure of any Personal Data may pose a risk of violation to the fundamental rights and freedoms of Data Subjects;
   4. Request that the supervisor approves any Data Subject’s requests to exercise their rights; and
   5. Notify the supervisor and/or the DPO immediately if they become aware of any Personal Data privacy breach, whether it is a deliberate misconduct or negligence of any party whatsoever and regardless of whether the breach poses a risk of violating the fundamental rights and freedoms of Data Subjects.
5. Contractors and service providers who are the Data Processor of the Company
   Shall act strictly in accordance with the laws and policies to protect Personal Data and will be bound under the Data Processing Agreement with the Company (if any). Such responsibilities include:
   1. Collect, use and disclose Personal Data in accordance with the law and this Policy, including participating in training regarding Personal Data protection of the Company upon request;
   2. Notify the Company without delay and within 24 hours if there is a breach of Personal Data protection from the moment of becoming aware of the breach; and
   3. Support and assist the Company in responding to the Data Subject’s request in exercising their rights.
   Violations of the law and this Personal Data Protection Policy by employees may result in disciplinary action, and any violation of the law or this Policy by the contractor or service provider which is the Data Processor of the Company may also be regarded as a breach of contract with the Company. If such violation or non-compliance results in damage to the Company, the Company reserves the right to terminate the employment or agreement. In addition, there may be criminal penalties, fines and imprisonment for the Company’s representative who breaches or fails to comply with the law. Thus, employees and related parties should review and strictly adhere to this Policy and the law regarding Personal Data protection.

The Company must provide appropriate security measures, from both policy and technical perspectives, in order to prevent any loss, unauthorized access, use, alteration, or disclosure of Personal Data. In addition, the Company shall further review such measures when it is necessary or when there is any technology advancement to ensure that Personal Data is treated in a secure manner in the Company and in accordance with the standards prescribed by the laws.

The Company must arrange a record of usage and disclosure of collected data which shall consist of, at the very least:

1. The lists of the collected Personal Data with the objectives and the retention periods,
2. The usage or disclosure of Personal Data under the legal basis other than consent,
3. The rights, method and condition for exercising of rights to access the information of the Data Subject,
4. Rejection or objection of request to exercise the rights, including the reasons as defined herein this Policy, and
5. The explanation of security measures which the Company has prepared.This is for the purpose of allowing the Data Subject to examine and enforce their rights, as well as to facilitate disclose to the authorities upon their reques

The explanation of security measures which the Company has prepared.This is for the purpose of allowing the Data Subject to examine and enforce their rights, as well as to facilitate disclose to the authorities upon their request

The Company may send or transfer Personal Data to foreign countries under the following circumstances:

1. The destination country or international organization that receives such Personal data has adequate data protection standards.
2. In the event the Personal Data protection standard of a destination country or international organization is inadequate, the transfer of Personal Data must be carried out in accordance with the following:
   1. Where it is for compliance with laws;
   2. Where the explicit consent of the Data Subject has been obtained, provided that the Data Subject has been informed of the inadequate Personal Data protection standards of the destination country or international organization;
   3. Where it is necessary for the performance of a contract to which the Data Subject is a party to, or in order to take steps at the request of the Data Subject prior to entering into a contract;
   4. Where it is for compliance with a contract between the Company, and other persons or juristic persons for the interests of the Data Subject;
   5. Where it is to prevent or suppress danger to the life, body, or health of the Data Subject or other persons, when the Data Subject is incapable of giving the consent at such time; or
   6. Where it is necessary for carrying out activities in relation to substantial public interest
3. The Company may send or transfer Personal Data to another person or juristic person who is in a foreign country and is in the same group/affiliated companies without having to proceed with the prior specification above, provided the Company has put in place a Personal Data protection policy regarding sending or transferring Personal Data within the group/affiliated companies, and such policy has been reviewed and certified by the Office of the Personal Data Protection Committee.
   Currently, the Personal Data Protection Committee has not yet established a list of countries with sufficient standards nor adopted certification policies for sending or transferring the data within the group/affiliated companies. However, the Company is entitled to send or transfer Personal Data to foreign countries or international organizations if the Company has appropriate security measures of Personal Data which enable the enforcement of the rights exercised by the Data Subjects, including having effective legal remedies in accordance with the standards prescribed by the law. Notwithstanding, as the laws have not prescribed such measure, the Company is able to proceed on the sending or transferring of Personal Data to be in accordance with Clause 2 until the law relating to such matter is a further promulgated

Upon the breach of Personal Data incurred within the Company in which the cause of violation risks affecting the rights and freedoms of the Data Subject, employees and personnel shall coordinate to conform with the law. The Company is obliged to notify the breach to the Office of the Personal Data Protection Committee without delay and within 72 hours after having become aware of it and to the possible extent. In the event where such violation has a high risk to cause an effect towards the right and liberty of the Data Subject, the Company must inform the breach incident to such Data Subject and the remedy measures without delay.
In order for the Company to comply with the obligations above, all employees must inform their supervisors and the DPO immediately as soon as they become aware of a breach or a potential breach.

This Personal Data Protection Policy will be amended and rectified as appropriate. It shall be subject to the amendment of laws and the appropriateness of business.
Note: This Policy has recently been revised on January 17th, 2022.

Any question regarding personal data protection or in the event that you would like to report a violation of personal Data, please contact:
Data Protection Officer (DPO)
LIXIL (Thailand) Public Company Limited (Sale office)
89 AIA Capital Center (25th floor), Ratchadaphisek Road,
Din Daeng, Bangkok 10400, THAILAND
T: + 66-61421-6225
e-mail: dpo.th@lixil.com